asterisk #2

Open
rodrigo-p-a opened this issue Jan 17, 2021 · 5 comments

Comments

@rodrigo-p-a

Can you provide an example for use with asterisk?

@jrbrtsn
Owner

jrbrtsn commented Jan 18, 2021

I don't have any experience with asterisk. ban2fail searches for patterns in log files when they change using the regular expression facility found in glibc.

@rodrigo-p-a
Author

It works, but I have a problem with the timestamp... I'll try to solve it, then put it here.

LOGTYPE asterisk {

   DIR= /var/log/asterisk
   PREFIX= messages

   TIMESTAMP asterisk_ts {
      REGEX= (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
      STRPTIME= %Y-%m-%d %H:%M:%S
   }

   TARGET worm {
      REGEX = NOTICE.failed for.'([0-9.a-f:]+):
   }

}

@jrbrtsn
Owner

jrbrtsn commented Jan 18, 2021

Without a sample matching line from the log file, I can't pinpoint your problem. One easy way to debug the REGEX's is to use the built-in bash REGEX facility like so:

LOG_LINE='Dec 4 12:57:28 srv dovecot: pop3-login: Aborted login (auth failed, 1 attempts in 0 secs): user=, rip=69.64.58.110, lip=1.2.3.4, session=<IRLNi+SYwsJFQDpu>'
[[ $LOG_LINE =~ ^(.*)\ srv ]] && echo "${BASH_REMATCH[1]}"

Result> Dec 4 12:57:28

As for the STRPTIME format specification, you can either write a C program to test your string, or maybe a website like this: http://www.strfti.me

Good luck!

@rodrigo-p-a
Author

I forgot to put a sample log line, sorry.
I use this website to debug: https://regex101.com/
Please look:

LOG LINE:
[2021-01-18 14:24:01] NOTICE[121559] chan_sip.c: Registration from '"205" <sip:[email protected]>' failed for '193.29.14.115:5836' - Wrong password

This regex:
NOTICE.*failed for.*'([0-9.a-f:]+):
result => 193.29.14.115

This regex:
(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
result=> 2021-01-18 14:24:01

So I made this config:

LOGTYPE asterisk {

   DIR= /var/mcut/log/asterisk
   PREFIX= messages

   TIMESTAMP asterisk_ts {
      REGEX= (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})
      STRPTIME= %Y-%m-%d %H:%M:%S
   }

   TARGET worm {
      REGEX =  NOTICE.*failed for.*'([0-9.a-f:]+):
   }

}

The system works and blocks IPs, but I got an error in the date.

Please, if you can, check when you have time.
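The maintainer suggests above writing a small C program to test the STRPTIME string. The following is an added example in that spirit, not ban2fail's own code: it compiles each REGEX from this thread with glibc's regcomp(), runs it over a constructed copy of the posted log line (the SIP URI is a placeholder), and feeds the captured timestamp to strptime(). It assumes ban2fail compiles REGEX with REG_EXTENDED; the thread only says "the regular expression facility found in glibc". One thing it makes visible: POSIX regcomp() does not treat `\d` as a digit class (glibc reads `\d` as a literal `d`), so the timestamp pattern that regex101 accepts never matches under glibc, while a `[0-9]` class matches in both engines. The helper functions return values so the outcome can be checked rather than eyeballed.

```c
#define _GNU_SOURCE          /* strptime(), timegm() on glibc */
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Explicit prototypes in case the feature-test macro above was set too late
   (e.g. a system header was already included before this file). */
char *strptime(const char *s, const char *format, struct tm *tm);
time_t timegm(struct tm *tm);

/* Constructed sample, modelled on the line posted in this thread.
   The SIP URI is a placeholder, not the original address. */
static const char SAMPLE_LINE[] =
    "[2021-01-18 14:24:01] NOTICE[121559] chan_sip.c: Registration from "
    "'\"205\" <sip:205@pbx.example>' failed for '193.29.14.115:5836' - Wrong password";

/* Patterns from the thread. The posted timestamp regex uses \d, which POSIX
   regcomp() does not understand; the POSIX variant uses [0-9] instead. */
#define TS_REGEX_POSTED "(\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2})"
#define TS_REGEX_POSIX  "([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})"
#define IP_REGEX        "NOTICE.*failed for.*'([0-9.a-f:]+):"
#define TS_STRPTIME     "%Y-%m-%d %H:%M:%S"

/* Compile `pattern` as an extended regex (assumption: ban2fail uses
   REG_EXTENDED) and copy capture group 1 from `line` into `out`.
   Returns 1 on match, 0 on no match, -1 if the pattern fails to compile. */
int capture_group1(const char *pattern, const char *line, char *out, size_t outsz)
{
    regex_t re;
    regmatch_t m[2];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    rc = regexec(&re, line, 2, m, 0);
    regfree(&re);
    if (rc != 0 || m[1].rm_so < 0)
        return 0;

    size_t len = (size_t)(m[1].rm_eo - m[1].rm_so);
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, line + m[1].rm_so, len);
    out[len] = '\0';
    return 1;
}

/* Parse `ts` with a STRPTIME format and return it as UTC epoch seconds,
   or -1 if the format does not consume the whole string. */
long parse_timestamp_utc(const char *ts, const char *fmt)
{
    struct tm tm;
    const char *end;

    memset(&tm, 0, sizeof tm);
    end = strptime(ts, fmt, &tm);
    if (end == NULL || *end != '\0')
        return -1;
    return (long)timegm(&tm);
}

/* Run a regex over the sample line; same return codes as capture_group1(). */
int sample_matches(const char *pattern)
{
    char buf[128];
    return capture_group1(pattern, SAMPLE_LINE, buf, sizeof buf);
}

/* Capture the timestamp from the sample line with `ts_regex` and parse it.
   Returns -1 when the regex does not match or the date does not parse. */
long sample_timestamp(const char *ts_regex)
{
    char ts[64];
    if (capture_group1(ts_regex, SAMPLE_LINE, ts, sizeof ts) != 1)
        return -1;
    return parse_timestamp_utc(ts, TS_STRPTIME);
}

int main(void)
{
    char buf[128];

    printf("posted \\d regex matched: %d\n", sample_matches(TS_REGEX_POSTED));
    if (capture_group1(TS_REGEX_POSIX, SAMPLE_LINE, buf, sizeof buf) == 1)
        printf("[0-9] regex captured: %s -> UTC epoch %ld\n",
               buf, parse_timestamp_utc(buf, TS_STRPTIME));
    if (capture_group1(IP_REGEX, SAMPLE_LINE, buf, sizeof buf) == 1)
        printf("address captured: %s\n", buf);
    return 0;
}
```

Compile with `cc -o ts_check ts_check.c` and run it against the line you are actually seeing in the log; swapping the `[0-9]` classes for `\d` in TS_REGEX_POSIX is the quickest way to see whether the regex or the STRPTIME string is the part that fails.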

@jrbrtsn
Owner

jrbrtsn commented Jan 18, 2021

There isn't much I can do without the error messages from ban2fail. I'm a software engineer, not a psychic ;-)
